05/08/18: Drupal Remote Code Execution

Overview

Alert Logic® has released coverage for exploits discovered by Drupal on March 28, 2018 (CVE-2018-7600) and April 25, 2018 (CVE-2018-7602) and continues to conduct research on them. These remote code execution vulnerabilities exist within multiple subsystems of Drupal 7.x and 8.x and have the potential to allow attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

Vulnerability Description

CVE-2018-7600, also known as Drupalgeddon2, makes affected versions of Drupal vulnerable to remote code execution via multiple paths throughout the codebase. The total compromise of a webserver is possibly by allowing an unauthenticated user to perform remote code execution attacks on systems running default installations of Drupal 7.x and 8.x.

Alert Logic Coverage

Coverage has been developed and deployed for the following Alert Logic solutions:

Alert Logic Threat Manager™ intrusion detection system - Telemetry signatures for both vulnerabilities were released on April 13, 2018.

Threat Manager & Alert Logic Cloud Insight™ scanning - Scan coverage for CVE-2018-7600 was released on April 2, 2018 and for CVE-2018-7602 on April 24, 2018.

Alert Logic Web Security Manager™ and Web Security Manager Premier™ - Coverage for these products is under investigation. Concerned customers with exposed Drupal installations can contact Alert Logic via ticket to deploy coverage appropriate for their environments. This article will be updated when general coverage is available.

Recommendations for Mitigation

Software patches are available for both CVE-2018-7600 and CVE-2018-7602. Alert Logic strongly advises that you update to the most recent version of Drupal core 7.x and 8.x. Specifically, users should implement the following updates:

If you are running 7.x, upgrade to Drupal 7.59.

If you are running 8.5.x, upgrade to Drupal 8.5.3.

If you are running 8.4.x, which is no longer supported, upgrade to Drupal 8.4.8 and then to Drupal 8.5.3 as soon as possible.